CVE-2024-45784

Apache Airflow: Sensitive configuration values are not masked in the logs by default

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.

Las versiones de Apache Airflow anteriores a la 2.10.3 contienen una vulnerabilidad que podría exponer variables de configuración confidenciales en los registros de tareas. Esta vulnerabilidad permite a los autores de DAG registrar variables de configuración confidenciales de forma intencional o no intencionada. Los usuarios no autorizados podrían acceder a estos registros, lo que podría exponer datos críticos que podrían explotarse para comprometer la seguridad de la implementación de Airflow. En la versión 2.10.3, los secretos ahora están enmascarados en los registros de tareas para evitar que las variables de configuración confidenciales se expongan en la salida del registro. Los usuarios deben actualizar a Airflow 2.10.3 o la versión más reciente para eliminar esta vulnerabilidad. Si sospecha que los autores de DAG podrían haber registrado los valores secretos en los registros y que sus registros no están protegidos adicionalmente, también se recomienda que actualice esos secretos.

*Credits: Saurabh Banawar, Amogh Desai

CVSS Scores

CISAv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-09-08 CVE Reserved
2024-11-15 CVE Published
2024-11-15 CVE Updated
2024-11-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1295: Debug Messages Revealing Unnecessary Information

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/apache/airflow/pull/43040	2024-11-15

URL	Date	SRC
https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h	2024-11-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Airflow Search vendor "Apache Software Foundation" for product "Apache Airflow"				< 2.10.3 Search vendor "Apache Software Foundation" for product "Apache Airflow" and version " < 2.10.3"		en		Affected